RFR: 8349759: Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms

Bernd duke at openjdk.org
Tue Feb 11 23:47:11 UTC 2025


On Tue, 11 Feb 2025 17:50:45 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

> This fix makes some minor changes to the internals of the `CertificateBuilder` and `SimpleOCSPServer` test classes.  They would break when ML-DSA was selected as key and signing algorithms.  Also RSASSA-PSS works better now with these changes.  I've also taken this opportunity to do some cleanup on CertificateBuilder and added a method which uses a default signing algorithm based on the key, so the `build()` method no longer needs to provide that algorithm (though one can if they wish for things like RSA signatures if they want a different message digest in the signature).

Interesting! Is there no JEP-level initiative for this? Did you do any interop testing? In fact, are there already root CAs offering such certificates? Does it apply across key types? (ML-DSA issuing a signature on an ECDSA key or vice versa?)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23566#issuecomment-2652309271

